On Mon, 17 Nov 2008 10:15:06 EST, dxp said:
> Many trojans these days can easily bypass default firewall protection in
> XP SP2. If any of those include self replication with exploit against
> some vulnerability (ms08-067) then history will be repeated, to a
> certain extent.
Read carefully what I said - the trojan needs to have *already* gotten into the
box to turn off the firewall. If you get a worm trying to exploit (for
example) ms08-067, and it tries to go scanning across a subnet to find
vulnerable boxes, it's simply not going to find a lot. Yes, it will find a
*few* older boxes that still don't have a good firewall - but for *most* of
them, the firewall will stop things before the packet gets in far enough to
exploit ms08-067.
(Of course, if you found a really cool exploit against the firewall code itself,
that allowed you to abuse the firewall to run your code before it rejected
your packet, you'd be on to something big... :)
Now, using that botted box as a fast-flux exploit-on-demand server that's
pointed to by a malicious URL planted elsewhere - *THAT* will work just fine.
Received on Nov 17 2008